
Identity Manager 8.0 - Target System Synchronization Reference Guide


Updating Schemas

To include schema data that was deleted through compression, and schema modifications, in the synchronization project, update each schema in the synchronization project. This may be necessary if:

  • A schema was changed by:
    • Changes to a target system schema
    • Customizations to the One Identity Manager schema
    • A One Identity Manager update migration
  • A schema in the synchronization project was shrunk by:
    • Activating the synchronization project
    • Synchronization project initial save
    • Compressing a schema

To update a system connection schema

  1. Select the category Configuration | Target system.

    - OR -

    Select the category Configuration | One Identity Manager connection.

  2. Select the view General and click Update schema.
  3. Confirm the security prompt with Yes.

    This reloads the schema data.

Then you can add the changes to the schema property mapping.

NOTE: The synchronization is deactivated if the schema of an activated synchronization project is updated. Reactivate the synchronization project to synchronize.

Synchronizing and Provisioning Memberships

Memberships, for example, user accounts in groups, are saved in assignment tables in the One Identity Manager database. Membership lists are commonly maintained as an object property in the target system. If a membership is modified in the One Identity Manager, the object must be updated.

Changing a Membership Label

To record whether a membership has changed, the assignment's base table stores the date of the last membership change in the column Dependencies modification date (XDateSubItem). During provisioning of modified memberships, One Identity Manager decides which objects must be updated based on this date. In the case of synchronization with revision filtering, the highest value from XDateSubItem and XDateUpdated is used as a revision counter for the database objects.

If a membership is changed in One Identity Manager, the change date for dependencies must be updated so that the modification can be provisioned.

Prerequisites

  • The base table has the column XDateSubItem.

    NOTE: If this column does not exist in the assignment's base table, you can extend the base table. Create the column CCC_XDateSubItem to do this.
  • The property Update dependencies modification date is true in the table relation between assignment and base table (QBMRelation.IsForUpdateXDateSubItem = TRUE).

Figure 13: Memberships in the One Identity Manager database

If a membership changes (through insertion, deletion or resetting of status "Outstanding") a task for updating the column XDateSubItem of the base table is queued in the DBQueue (QBM-K-XDateSubItemUpdate). If necessary, more processing tasks, for example, calculating inheritance, are queued in the DBQueue. These tasks are handled first. The task QBM-K-XDateSubItemUpdate is deferred until all the processing tasks for the modified object and the module to which it belongs, have been handled. If other memberships in this module are changed in the meantime, these changes are collected by the existing task for updating the column XDateSubItem and subsequently handled together. Once the task QBM-K-XDateSubItemUpdate is run, an update task for the column XDateSubItem is queued in the Job queue. The column value is updated. The task for provisioning changed memberships is then placed in the Job queue.

Figure 14: Processing a Membership Change in One Identity Manager

Example

Active Directory user account membership in an Active Directory group is deleted in One Identity Manager (table ADSAccountInADSGroup). The change date for dependencies is updated on the Active Directory group (ADSGroup.XDateSubItem). The change to the membership for this Active Directory group is provisioned in the target system. The next time synchronization with revision filtering is run, XDateSubItem is taken as the highest change date for the revision counter and is compared to the schema type's revision.
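The following added example (not part of the original guide and not One Identity Manager code) models why a membership change is only picked up by revision filtering when XDateSubItem is updated. The dictionary layout, the function names and the rule that an object is selected when its revision counter is later than the stored revision are assumptions made for illustration.

```python
from datetime import datetime


def revision_counter(obj):
    """Highest value from XDateSubItem and XDateUpdated (XDateSubItem may be unset)."""
    return max(d for d in (obj["XDateUpdated"], obj.get("XDateSubItem")) if d)


def change_membership(base_object, when, update_dependencies_date=True):
    """Model a change in an assignment table such as ADSAccountInADSGroup.

    The base object's own properties are untouched, so XDateUpdated stays as
    it is. XDateSubItem is set only when the relation is flagged for it
    (QBMRelation.IsForUpdateXDateSubItem = TRUE).
    """
    if update_dependencies_date:
        base_object["XDateSubItem"] = when


def changed_since(objects, schema_type_revision):
    """Assumption: an object is selected when its revision counter is later
    than the revision stored for the schema type."""
    return [o["name"] for o in objects
            if revision_counter(o) > schema_type_revision]


def demo():
    # Constructed sample data: two groups last modified before the stored revision.
    last_revision = datetime(2024, 3, 1)
    flagged = {"name": "GroupA", "XDateUpdated": datetime(2024, 1, 10),
               "XDateSubItem": None}
    unflagged = {"name": "GroupB", "XDateUpdated": datetime(2024, 1, 10),
                 "XDateSubItem": None}
    # Both groups lose a member after the stored revision.
    change_membership(flagged, datetime(2024, 3, 5))
    change_membership(unflagged, datetime(2024, 3, 5),
                      update_dependencies_date=False)
    return changed_since([flagged, unflagged], last_revision)


if __name__ == "__main__":
    print(demo())
```

In this model, GroupB's membership change stays invisible to the revision filter because neither date moved past the stored revision.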

Single Membership Provisioning

During the membership provisioning, changes made in the target system will probably be overwritten. This behavior can occur under the following conditions:

  • Memberships are saved in the target system as an object property in list form (Example: List of user accounts in the property Members of an Active Directory group).
  • Memberships can be modified in either of the connected systems.
  • A provisioning workflow and provisioning processes are set up.

If a membership in One Identity Manager changes, the complete list of members is transferred to the target system by default. As a result, memberships previously added in the target system are removed, and memberships previously deleted there are added again.

To prevent this, provisioning can be configured such that only the modified membership is provisioned in the target system. To do this, you must set the option Enable merging on the assignment table (DPRNameSpaceHasDialogTable.IsAdHocSingleMemberShip = TRUE). For more detailed information about setting this option, see the administration guide for connecting each target system.

Additional processing steps are executed for tables with this option enabled.

  1. A task is set up in the DBQueue Processor to update the table DPRMemberShipAction. This table contains the modified objects and operations to be run.
  2. The membership list of modified objects is compared to the table DPRMemberShipAction. Therefore, if only one membership changes, the entire members list in the target system does not have to be updated. Only the modified memberships are transferred to the members list. Changes to memberships of the modified object that were made in the target system in the meantime are therefore not overwritten.
  3. Once the change has been successfully provisioned in the target system, the entry is deleted from the table DPRMemberShipAction. If an error occurs during provisioning, the entry remains in the table.

Table 28: Handling Entries in the Table DPRMemberShipAction

| Provisioning Process | Entry in DPRMemberShipAction | Comment |
|----------------------|------------------------------|---------|
| Success              | Deleted                      |         |
| Fail                 | Remains intact               | A new modification to the object is reprocessed by provisioning and deleted on success. |
| Re-enabled           | Reprocessed                  |         |
| Failed and deleted   | Remains intact               | Deleted during daily maintenance. |

All entries without a provisioning task in the Job queue are deleted in the process of these maintenance jobs.


NOTE: The complete members list is updated by synchronization. During this process, objects with changes but incomplete provisioning are not handled. These objects are logged in the synchronization log.
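
The following added example (not part of the original guide and not One Identity Manager code) contrasts default full-list provisioning with single membership provisioning on a constructed Members list. The function names, the operation names "insert" and "delete", and the sample accounts are assumptions; the action list is only modelled on the table DPRMemberShipAction.

```python
# Simplified model of the two provisioning modes; not One Identity Manager code.

def provision_full_list(oim_members):
    """Default: the complete member list from One Identity Manager replaces
    whatever the target system currently holds."""
    return set(oim_members)


def provision_single_memberships(target_members, actions, failing=()):
    """Merge mode: apply only the recorded changes to the target's list.

    actions -- (operation, member) pairs modelled on DPRMemberShipAction
               entries; the operation names are assumptions.
    failing -- members whose provisioning is made to fail (constructed).
    Returns (new target list, entries remaining in the action table).
    """
    members, remaining = set(target_members), []
    for operation, member in actions:
        if operation not in ("insert", "delete"):
            raise ValueError(f"unknown operation: {operation}")
        if member in failing:
            remaining.append((operation, member))  # error: entry remains
        elif operation == "insert":
            members.add(member)                    # success: entry is deleted
        else:
            members.discard(member)
    return members, remaining


def demo():
    # Constructed sample data: Members list of one group.
    oim = {"alice", "bob", "carol"}      # state in One Identity Manager
    target = {"alice", "bob", "dave"}    # target admin added dave, removed carol
    oim.add("erin")                      # membership change in One Identity Manager
    actions = [("insert", "erin")]

    full = provision_full_list(oim)
    merged, remaining = provision_single_memberships(target, actions)
    return full, merged, remaining


if __name__ == "__main__":
    full, merged, remaining = demo()
    print("full list :", sorted(full))    # dave is lost, carol is re-added
    print("merged    :", sorted(merged))  # target-side changes are kept
    print("remaining :", remaining)
```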